ipc3: handler: Add check for pipeline->source_comp being NULL #9586
Conversation
jsarha
requested review from
lgirdwood,
plbossart,
mmaka1,
lbetlej,
dbaluta and
kv2019i
as code owners
The fuzzer engine has produced crash caused by NULL pointer read that
originated from ipc_stream_pcm_free(). The crash happens when the
pipeline of the found comp_dev does not have a source_comp and
pipeline_reset() is called for it. This commit simply adds a test
for such a situation and bails out if it is found.
Here is the call stack from the situation:
#0 0x81e9317 in dev_comp_pipe_id sof/sof/src/include/sof/audio/component.h:646:25
thesofproject#1 0x81e8015 in pipeline_comp_reset sof/sof/src/audio/pipeline/pipeline-graph.c:326:22
thesofproject#2 0x81e7d1d in pipeline_reset sof/sof/src/audio/pipeline/pipeline-graph.c:393:8
thesofproject#3 0x820d7ea in ipc_stream_pcm_free sof/sof/src/ipc/ipc3/handler.c:398:8
thesofproject#4 0x8208969 in ipc_cmd sof/sof/src/ipc/ipc3/handler.c:1689:9
thesofproject#5 0x81cbed8 in ipc_platform_do_cmd sof/sof/src/platform/posix/ipc.c:162:2
thesofproject#6 0x81d10db in ipc_do_cmd sof/sof/src/ipc/ipc-common.c:330:9
thesofproject#7 0x81f87e9 in task_run sof/sof/zephyr/include/rtos/task.h:94:9
thesofproject#8 0x81f8308 in edf_work_handler sof/sof/zephyr/edf_schedule.c:31:16
thesofproject#9 0x82b4b32 in work_queue_main sof/zephyr/kernel/work.c:668:3
thesofproject#10 0x8193ec2 in z_thread_entry sof/zephyr/lib/os/thread_entry.c:36:2
thesofproject#11 0x815f639 in __asan::AsanThread::ThreadStart(unsigned long long) /src/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277:25
Signed-off-by: Jyri Sarha <jyri.sarha@linux.intel.com>
jsarha
force-pushed
the
fuzzer_fix_add_source_comp_test
branch
from
de50527
to
71afb2f
Compare
| free_req.comp_id); | ||
| return -EINVAL; | ||
| } | ||
|
|
There was a problem hiding this comment.
Could we have the check in pipeline_comp_reset() and make pipeline_reset() safe against condition of partially set up pipeline (with source_comp as NULL). This would fix a much larger set of cases (including IPC4) against this possibility.
There was a problem hiding this comment.
@kv2019i , sure. There just is no evidence that IPC4 would suffer from this kind of problem. But if you think that is better approach, then I can send my first fix. I decided against it and came up with this version, since I tried to avoid affecting IPC4-code, as the problem was found from IPC3.
@lgirdwood , the crash report is from IPC3. I have no idea if the same issue would be possible on IPC4, but if we want to cover IPC4 just to be safe, then that is easy. I'll make the change. |
The fuzzer engine has produced crash caused by NULL pointer read that originated from ipc_stream_pcm_free(). The crash happens when the pipeline of the found comp_dev does not have a source_comp and pipeline_reset() is called for it. This commit simply adds a test for such a situation and bails out if it is found.
Here is the call stack from the situation:
The original oss-fuzz report, for those who have access, can be found here: https://issues.oss-fuzz.com/u/1/issues/42537298